Old 07-19-2008, 05:11 PM
Ed Warner
 
bind update keeps messing up write-rights

Message: 7
Date: Sat, 19 Jul 2008 06:26:53 -0400
From: "Christopher K. Johnson" <ckjohnson@gwi.net>
Subject: Re: bind update keeps messing up write-rights
To: For users of Fedora <fedora-list@redhat.com>
Message-ID: <4881C16D.7010606@gwi.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Gijs wrote:
> Sam Varshavchik wrote:
>> Gijs writes:
>>
>>> Hey List,
>>>
>>> Not sure why this is happening so perhaps someone can explain this to me.
>>> Whenever I update bind it messes up/resets access rights on my zone
>>> files. Now normally this wouldn't be a bad thing, but because I have
>>> dynamic updates on, for which named creates journalizing files, I
>>> end up having non-writeable journalizing files. So after every
>>> update I end up having to manually change the access rights on my
>>> jnl files.
>>>
>>> Is anyone else having the same problem and/or is it supposed to be
>>> like this?
>>
>> You must have bind configured to run in chroot.
>>
>> rpm's %post script runs /usr/sbin/bind-chroot-admin where, if you
>> have chroot configured, it runs this lovely bit of code:
>>
>> chown -h root:named /var/named/* >/dev/null 2>&1;
>> chown -h root:named ${BIND_CHROOT_PREFIX}/var/named/* >/dev/null 2>&1;
>> chown -h root:named /etc/{named,rndc}.* >/dev/null 2>&1;
>> chown -h root:named ${BIND_CHROOT_PREFIX}/etc/{named,rndc}.* >/dev/null 2>&1;
>> chown -h named:named /var/log/named.log >/dev/null 2>&1;
>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/log/named.log >/dev/null 2>&1;
>> chmod 750 ${pfx}/var/named >/dev/null 2>&1;
>> chmod 640 ${pfx}/var/named/* >/dev/null 2>&1;
>> chmod 750 ${pfx}/var/named/*/. >/dev/null 2>&1;
>> chmod 660 ${pfx}/var/log/named.log >/dev/null 2>&1;
>> chown -h named:named /var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>> chown -h named:named ${BIND_CHROOT_PREFIX}/var/named/{data{,/*},slaves{,/*},dynamic{,/*}} >/dev/null 2>&1;
>> chmod 770 ${pfx}/var/named/{data,slaves,dynamic} >/dev/null 2>&1;
>> chmod 660 ${pfx}/var/named/{data/*,slaves/*,dynamic/*} >/dev/null 2>&1;
>> chmod 770 ${pfx}/var/named/{data/*/.,slaves/*/.,dynamic/*/.} >/dev/null 2>&1;
>>
>> Lovely.
>>
> Heh, that's indeed lovely. And yea, I've got named configured to run
> in chroot as it is the default nowadays (at least on Fedora).
>
> You should note that the 'dynamic' subfolder contents are set to mode
> 660.
> Move your updateable zone files there and update the referenced paths in
> named.conf accordingly.
>
> Chris
>

Could you clarify your statement for me please?

1. Other than my zone files, what else goes into /var/named/chroot/var/named/dynamic ?

2. My named.conf resides in /var/named/chroot/etc, so I need to make changes to point to the path --> /var/named/chroot/var/named/dynamic ?

Thanks,





--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 07-19-2008, 05:50 PM
Gijs
 
bind update keeps messing up write-rights

Ed Warner wrote:
> Could you clarify your statement for me please?
>
> 1. Other than my zone files, what else goes into /var/named/chroot/var/named/dynamic ?
>
> 2. My named.conf resides in /var/named/chroot/etc, so I need to make changes to point to the path --> /var/named/chroot/var/named/dynamic ?
>
> Thanks

I cannot really clarify point 1, but I can somewhat clarify point 2.

In my named.conf I now have the following:

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "dynamic/named.0.168.192";
        allow-update { key rndc; };
};

zone "home" IN {
        type master;
        file "dynamic/home.zone";
        allow-update { key rndc; };
};

This allows named to find the zone files inside the dynamic folder.
Also, /var/named/chroot/etc/named.conf has a hardlink to
/etc/named.conf so that might be somewhat easier to type next time you
want to edit that file. And because named is running inside a
chroot, you cannot set the path to
"/var/named/chroot/var/named/dynamic" inside the named.conf. For named,
the chroot basically means that everything is running from the
/var/named/chroot directory. In other words, if you refer to
/var/named/dynamic inside your named.conf, it actually refers to
/var/named/chroot/var/named/dynamic.

Hope this makes sense



 
Old 07-20-2008, 06:16 AM
Tim
 
bind update keeps messing up write-rights

On Sat, 2008-07-19 at 10:11 -0700, Ed Warner wrote:
> Other than my zone files, what else goes
> into /var/named/chroot/var/named/dynamic ?

Nothing. Assuming we're already in the chroot, or we're not chrooting:

/var/named/
zone files that are set once, or manually altered.

/var/named/dynamic/
zone files that are automatically managed, such as by a DHCP server
(NB: The DNS server manages them, communicating with the DHCP server,
the DHCP server doesn't directly manipulate the files).

/var/named/slaves/
zone files that will be externally managed by a master DNS server.

I seem to recall the data subdirectory being a location that the server
may dump data to (e.g. statistics).

Protective software, like SELinux, enforces the use of some of those
directories (the DNS server will not be allowed to write slave zone
files to anything other than the slaves subdirectory, etc.). You'll
probably find more and more segregation of things, as program authors
get more stringent about security, seeing as things like SELinux make
use of file location for setting rules, but zone files have variable
names depending on the zones, but directory names for all of them do not
change.

Have a look at <http://www.isc.org/index.pl?/sw/bind/FAQ.php>, skip down
to the part that mentions SELinux.

--
[tim@localhost ~]$ uname -r
2.6.25.10-86.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
Old 07-20-2008, 05:00 PM
Ed Warner
 
bind update keeps messing up write-rights

Gijs wrote:
> And because named is running inside a chroot, you cannot set the path to
> "/var/named/chroot/var/named/dynamic" inside the named.conf. For named,
> the chroot basically means that everything is running from the
> /var/named/chroot directory. In other words, if you refer to
> /var/named/dynamic inside your named.conf, it actually refers to
> /var/named/chroot/var/named/dynamic.
>
> Hope this makes sense

It made sense thanks. I changed my named.conf file and relocated my zone files and it seems to work except for a message I get when I restart named.

It says my working directory is not writable. My directory in named.conf is "/var/named". Is this the directory the warning is coming from? What should the permissions be?
Thanks,




 
Old 07-20-2008, 07:44 PM
Gijs
 
bind update keeps messing up write-rights

Ed Warner wrote:
> It made sense thanks. I changed my named.conf file and relocated my zone
> files and it seems to work except for a message I get when I restart named.
>
> It says my working directory is not writable. My directory in named.conf
> is "/var/named". Is this the directory the warning is coming from? What
> should the permissions be?

If you have zone files that need to be changed dynamically (which I
assume you have, since named wants to write something), you need to put
them into /var/named/chroot/var/named/dynamic. And as in my former
reply, change the "file" option of your zone file to
"dynamic/name_of_your_zonefile.zone". After you restart named, it
shouldn't be warning you about a directory not being writeable, since
the dynamic directory is writeable specifically for the purpose of
dynamic zone files.



The permissions I have on my directories should be the same as on your
system, but here they are:

[root@poseidon var]# ls -ld named/
drwxrwx--- 5 root named 4096 2008-07-19 13:20 named/
[root@poseidon var]# ls -l named/ | grep "^d"
drwxrwx--- 2 named named 4096 2004-08-25 22:51 data
drwxrwx--- 2 named named 4096 2008-07-19 13:20 dynamic
drwxrwx--- 2 named named 4096 2004-07-27 16:57 slaves
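
The point buried in the bind-chroot-admin snippet quoted at the top of this thread, in Gijs's named.conf and in the ls output above is a least-privilege one: the package's %post script deliberately hands every zone file back to root:named with mode 640 and the working directory to 750, so the unprivileged named process cannot rewrite zone data it is only supposed to serve, and it opens only data/, slaves/ and dynamic/ (770 on the directories, 660 on their contents) for the state named legitimately has to write. Moving updatable zones into dynamic/ is therefore the real fix; chmod'ing the static files is undone on the next package update. What follows is an added example, not code from the thread or from the bind package, that checks a named.conf for exactly this: it parses the zone blocks, resolves each file directive against options.directory and the chroot prefix (the mapping Gijs describes, which named itself never sees), and reports whether named could both rewrite the zone file and create its .jnl journal beside it. The named.conf and the temporary directory tree are constructed to mirror the thread (the zone names "home" and "0.168.192.in-addr.arpa" are taken from Gijs's config; "static.example" is invented); the script cannot chown to root:named without privilege, so it models named as a non-owner member of the files' group, which is what root:named ownership means to the named user. It also reports whether options.directory is writable, which is what the "working directory is not writable" startup warning Ed saw refers to: with the snippet's 750 root:named that warning appears every start, named runs regardless, and it only matters for files named would have to write directly into that directory.

```python
"""Flag zones in a named.conf whose dynamic updates will fail because the zone file, or the
directory where named must create the .jnl journal, is not writable under bind-chroot-admin's modes."""
import os
import re
import stat
import tempfile

# Constructed named.conf, not from the thread: "home" still sits in the static location that
# bind-chroot-admin resets to root:named 0640; the reverse zone was moved under dynamic/.
NAMED_CONF = """
options { directory "/var/named"; };  // relative paths resolve against this, inside the chroot
zone "home" IN { type master; file "home.zone"; allow-update { key rndc; }; };
zone "0.168.192.in-addr.arpa" IN {
    type master; file "dynamic/named.0.168.192"; allow-update { key rndc; };
};
zone "static.example" IN { type master; file "static.example.zone"; allow-update { none; }; };
"""

def _block_after(text, start):
    """Body of the first {...} block at/after start, honouring nesting ("};" also ends allow-update)."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")

def parse_named_conf(conf):
    """Return (options.directory, [{'name', 'file', 'dynamic'}, ...]) from named.conf text."""
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))  # drop comments
    opt = re.search(r"\boptions\s*\{", text)
    dm = opt and re.search(r'\bdirectory\s+"([^"]+)"', _block_after(text, opt.start()))
    zones = []
    for zm in re.finditer(r'\bzone\s+"([^"]+)"', text):
        body = _block_after(text, zm.end())
        fm = re.search(r'\bfile\s+"([^"]+)"', body)
        um = re.search(r"\ballow-update\s*\{([^}]*)\}", body)  # "{ none; }" means not updatable
        zones.append({"name": zm.group(1), "file": fm and fm.group(1),
                      "dynamic": bool(um) and um.group(1).strip() != "none;"})
    return (dm and dm.group(1)), zones

def resolve_zone_file(file_directive, directory, chroot=""):
    """Host-side path: relative to options.directory, then under the chroot prefix named never sees."""
    path = (file_directive if os.path.isabs(file_directive)
            else os.path.join(directory or "/", file_directive))
    return os.path.normpath(chroot.rstrip("/") + path if chroot else path)

def writable_by(path, uid, gid):
    """Mode-bit check for a process running as uid/gid (ignores ACLs and SELinux)."""
    st = os.stat(path)
    bit = stat.S_IWUSR if st.st_uid == uid else stat.S_IWGRP if st.st_gid == gid else stat.S_IWOTH
    return bool(st.st_mode & bit)

def check_dynamic_zones(conf, chroot, named_uid, named_gid):
    """Map each updatable zone to True if named can rewrite its file and create <file>.jnl beside it."""
    directory, zones = parse_named_conf(conf)
    verdict = {}
    for z in zones:
        if not z["dynamic"] or not z["file"]:
            continue
        path = resolve_zone_file(z["file"], directory, chroot)
        jnl_dir = os.path.dirname(path)
        dir_ok = os.path.isdir(jnl_dir) and writable_by(jnl_dir, named_uid, named_gid)
        file_ok = not os.path.exists(path) or writable_by(path, named_uid, named_gid)
        verdict[z["name"]] = dir_ok and file_ok
    return verdict

def working_directory_writable(conf, chroot, named_uid, named_gid):
    """The startup warning "working directory is not writable" refers to options.directory, named's cwd."""
    directory, _ = parse_named_conf(conf)
    return writable_by(resolve_zone_file(".", directory, chroot), named_uid, named_gid)

def build_demo_chroot():
    """Temporary tree with the snippet's modes: 750 on var/named, 640 on its files, 770/660 under dynamic/.
    We cannot chown to root:named unprivileged, so callers model named as a non-owner group member."""
    root = tempfile.mkdtemp(prefix="bind-chroot-")
    named = os.path.join(root, "var", "named")
    os.makedirs(os.path.join(named, "dynamic"))
    for rel, mode in {"home.zone": 0o640, "static.example.zone": 0o640,
                      "dynamic/named.0.168.192": 0o660}.items():
        with open(os.path.join(named, rel), "w") as fh:
            fh.write("$TTL 3600\n")  # constructed placeholder content
        os.chmod(os.path.join(named, rel), mode)
    os.chmod(os.path.join(named, "dynamic"), 0o770)
    os.chmod(named, 0o750)
    return root, os.stat(named).st_gid

if __name__ == "__main__":
    root, gid = build_demo_chroot()  # uid -1 never matches: named is "in the group, not the owner"
    print("working directory writable:", working_directory_writable(NAMED_CONF, root, -1, gid))
    for name, ok in check_dynamic_zones(NAMED_CONF, root, -1, gid).items():
        print(f"{name:26s} {'ok' if ok else 'NOT writable by named'}")
```

Run against a real host, pass the real chroot prefix (/var/named/chroot on the Fedora of this thread) and the uid/gid of the named account instead of the demo values. The check looks at classic mode bits only; as Tim notes further up, SELinux policy additionally confines where named may write, so a passing result here is necessary but not sufficient.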
 
Old 07-20-2008, 08:10 PM
g
 
bind update keeps messing up write-rights

Gijs,

from looking at headers in your reply, you are using;

User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)

would you please open your address book and change settings for this
list to 'prefers to receive messages formatted as: plain text'

also, please remove history that is unrelated to your reply.

because you sent both plain text and html, your reply contained
27,772 bytes.

after removing html and cutting history, your reply reduced to 4,525.

that converts to 23,247 bytes of wasted bandwidth and storage.

i and many others thank you for your co-operation.

--

tc,hago.

g
.

in a free world without fences, who needs gates.

 
Old 07-21-2008, 09:08 AM
Gijs
 
bind update keeps messing up write-rights

g wrote:
> would you please open your address book and change settings for this
> list to 'prefers to receive messages formatted as: plain text'
>
> also, please remove history that is unrelated to your reply.

Never really occurred to me, but it should be ok now.

 
Old 07-21-2008, 10:57 AM
g
 
bind update keeps messing up write-rights

Gijs wrote:

Never really occured to me, but it should be ok now.


looks great here. i do thank you.

once again, i shall see your needs and words of wisdom. )

later.


--

tc,hago.

g
.

in a free world without fences, who needs gates.

 
